best practice: webserver behind router
  •  
ppatel

Hello,
We have a simple server set up with an IIS box running our local intranet, and just added a Kerio mail server on another box. We only have 1 IP address on a simple router acting as a gateway.

In the past we just set up port forwarding and sent all port 80 traffic to the web server.

What do you guys recommend we do to set up so mail.mydomain.com goes to the Kerio box rather than the regular IIS box, which is intranet.mydomain.com?

We are using Windows Server so we may be able to set up a DNS server and send all traffic to it.

Not sure but looking to see if someone who has set this up before can shed some light.

Thanks in advance,
P Patel
  •  
anthony.somerset

Unless your router is capable of doing name-based forwarding then you can't do this, unless you forward another port (say 81) to port 80 on the mail server. This is how we do it and it actually helps reduce some spam/hack attacks because we don't use standard port mappings.

Mac Xserve Intel - 2x 2.7GHz Dual Core Xeon
Leopard 10.5.8
4GB Ram
1.25 TB HDD Raid 5
Kerio 6.7.1
~60 Users (varying windows and mac Exchange or IMAP)
18 iPhones
  •  
ppatel

Thanks,

How about using DNS on a Windows server to catch all of the port requests and split them from there?

Anyone have luck with that?

If not I think port 81 is a good idea, just difficult when people are trying to access it from the road (you know how people are).


P Patel
  •  
anthony.somerset

If I have read this rightly you could set up a Windows server as an ISA server to do this (Microsoft ISA Server), but straight out of the box with standard Windows Server, doing it via DNS would only work internally,

as forwarding all the traffic to the MS server to direct would result in a local IP being returned to the user, which would be useless outside the network. I have been looking at this and, short of upgrading your router to a much more expensive model or (cheaper solution) buying another static IP, I can't find any other way of doing it.

Hopefully someone with more knowledge than me can prove me otherwise :)

[Updated on: Tue, 30 September 2008 01:10]


  •  
ppatel

OK,
I can use the port: www.mysite.com goes to our intranet and www.mysite.com:90 goes to the Kerio webmail.

Does anyone know how to do this: Instead of www.mysite.com:90 use mail.mysite.com to forward over to port 90 of that ip address?

I am using a simple router / gateway and I set up port forwarding but it doesn't look at any of the sub-domain names.

Anyone have any ideas on this? Thanks for all of the feedback,
P Patel
  •  
anthony.somerset

I have already suggested 2 solutions:

Buying an extra static IP and making mail.mysite.com go to Kerio on the second IP (just need to make sure your intranet only listens on your old IP).

Buy an enterprise-grade router (or MS ISA Server) and set it to do the name-based forwarding.

There is a third option that works for web browsing but not for mail clients, and that is webhop, but I have no experience in this because it's not really a correct solution: just put the port number into the A record for mail.mysite.com (e.g. xxx.xxx.xxx.xxx:90).
I have never tested this so I do not know how that works; it may be that it also works with email clients but I have not tested it.

  •  
RHarmsen.nl

You might consider using HTTPS for the mailserver.

Then you just set up a forwarding page on the webserver to redirect http://mail.domain.com to https://mail.domain.com and you are good.
  •  
anthony.somerset

I would suggest that as a better solution.

One other suggestion is changing your intranet to a different port, because it would also make your intranet slightly more private: most people then won't come across it by accident, as you will provide the address to your staff and they can access it as normal.

If you point both mail.mysite.com and intranet.mysite.com, they will both work fine; it's just your ports that are the problem.

  •  
ppatel

A name-based router sounds like a good plan. Does anyone here use one in particular?

P Patel
  •  
ppatel

We have extra IPs but the router can only be configured with one.

We might look into a router with multiple IPs if that is something you guys suggest?

This would allow us to bring in our www., intranet. and mail. all under one roof.

Thoughts?

P Patel
  •  
anthony.somerset

I believe any decent Belkin or Netgear can handle multiple static IPs.

Also the SpeedTouch by Thomson (ST585), which I currently use, looks like it can handle multiple public IPs and also assign them to different "interfaces" (e.g. your mailserver).

I don't have any other info currently.

  •  
sedell

It must be a pretty basic device if it only supports one IP. I would suggest getting equipment that will handle multiple IPs. Not only does it give you access to your other IP addresses (one IP address is too limiting), but they usually have a much more robust set of features that will open up a lot more possibilities.

Scott
  •  
sproket90

anthony.somerset wrote on Tue, 30 September 2008 16:33

I believe any decent Belkin or Netgear can handle multiple static IPs.

Also the SpeedTouch by Thomson (ST585), which I currently use, looks like it can handle multiple public IPs and also assign them to different "interfaces" (e.g. your mailserver).

I don't have any other info currently.



I hear Kerio makes a decent firewall, that I know handles more than 1 IP address on the external NIC. The logging functionality alone makes it a better choice than any Belkin or Netgear.

It runs on standard PC hardware that is easy to get in case of a hardware issue.

:P

  •  
anthony.somerset

I believe you are thinking of Kerio Webstar.

Not sure how that works as I never had experience of it; it would be just the same as my suggestion of using MS ISA Server.

However, a much simpler (and far cheaper) option is to purchase a router that supports multiple static IPs.

  •  
sproket90

anthony.somerset wrote on Wed, 08 October 2008 22:35

I believe you are thinking of Kerio Webstar.

Not sure how that works as I never had experience of it; it would be just the same as my suggestion of using MS ISA Server.

However, a much simpler (and far cheaper) option is to purchase a router that supports multiple static IPs.


If you are referring to my comment...

No, I am thinking of Kerio WinRoute Firewall; running on XP or 2003 Server, you can bind several IP addresses to the external NIC. Then you can route the first external IP to IIS and the second external IP address to the Kerio MailServer. I do it all the time. It's not as inexpensive as a hardware device, but it is more reliable, provides much better logging and is easy to fix if something breaks. Go see if you can get parts for a WatchGuard firewall at the local computer store. :)

[Updated on: Tue, 14 October 2008 04:24]
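
The name-based forwarding raised earlier in the thread means a proxy on the single public IP reads the HTTP Host header and chooses the internal server from it. The routing decision as an added example (not from any poster, and not Kerio or ISA Server code); the backend addresses and function names are assumptions:

```python
# Added example: name-based routing decision for two sites behind one public IP.
# The backend addresses are assumed placeholders, not values from the thread.
BACKENDS = {
    "intranet.mydomain.com": ("192.168.1.10", 80),  # IIS box (assumed address)
    "mail.mydomain.com": ("192.168.1.20", 80),      # Kerio box (assumed address)
}


def host_from_request(raw: bytes):
    """Return the normalized Host of a raw HTTP/1.1 request head, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    hosts = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) != 1:                       # missing or repeated Host is ambiguous
        return None
    try:
        host = hosts[0].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if host.startswith("["):                  # IPv6 literal, never one of our names
        return None
    host = host.rsplit(":", 1)[0]             # drop an optional ":port"
    return host.rstrip(".") or None           # tolerate a trailing root dot


def pick_backend(raw: bytes):
    """Map a request to its internal server; None means refuse (default deny)."""
    host = host_from_request(raw)
    return BACKENDS.get(host) if host else None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        b"GET / HTTP/1.1\r\nHost: mail.mydomain.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: Intranet.MyDomain.com:80\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",   # request by bare IP
    ]
    for req in samples:
        print(req.split(b"\r\n")[1].decode(), "->", pick_backend(req))
```

Refusing anything that is not an exact configured name keeps requests addressed to the bare IP from landing on the intranet site by default.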
